PT-2026-26163 · Apache+1 · Maven-Dependency-Plugin+1
Chrimle · Published 2026-03-18 · Updated 2026-03-19 · CVE-2026-32735
CVSS v4.0: 2.3 (Low)
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions
openapi-to-java-records-mustache-templates versions 5.1.1 through 5.5.0
Description
The openapi-to-java-records-mustache-templates project, specifically its parent POM file (openapi-to-java-records-mustache-templates-parent), uses the maven-dependency-plugin to unpack .mustache files from the openapi-to-java-records-mustache-templates artifact. This process occurs for versions starting from 5.1.1 and prior to 5.5.1. The parent POM file is published and could be misused. If the openapi-to-java-records-mustache-templates artifact were compromised and contained malicious .mustache files, these files would be automatically unpacked during a dependency update. The project's surrounding modules and configurations are not intended for production use and exist solely for testing and maintainability.
Recommendations
Do not use the parent POM file (openapi-to-java-records-mustache-templates-parent) for external use.
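One way to check whether a build inherits from the parent POM named above is to scan each `pom.xml` for a `<parent>` with that artifactId and a version in the affected range. This is an added example, not code from the advisory or the project; it matches on artifactId only, and the groupId in the constructed sample is a placeholder.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Artifact name and version range are taken from the advisory text.
PARENT_ARTIFACT = "openapi-to-java-records-mustache-templates-parent"
FIRST_AFFECTED, LAST_AFFECTED = (5, 1, 1), (5, 5, 0)

# Constructed sample; the groupId is a placeholder, not the project's real one.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>GROUP-ID-PLACEHOLDER</groupId>
    <artifactId>openapi-to-java-records-mustache-templates-parent</artifactId>
    <version>{version}</version>
  </parent>
  <artifactId>my-service</artifactId>
</project>"""


def _local(tag):
    """Drop the '{namespace}' prefix so namespaced and bare POMs both match."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def check_pom(pom_xml):
    """Classify one POM: 'affected', 'not-affected', 'unresolved' or 'no-match'."""
    root = ET.fromstring(pom_xml)
    parent = next((c for c in root if _local(c.tag) == "parent"), None)
    if parent is None or _child_text(parent, "artifactId") != PARENT_ARTIFACT:
        return "no-match"
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", _child_text(parent, "version"))
    if m is None:  # property placeholder, SNAPSHOT or qualifier: review by hand
        return "unresolved"
    version = tuple(int(part) for part in m.groups())
    return "affected" if FIRST_AFFECTED <= version <= LAST_AFFECTED else "not-affected"


if __name__ == "__main__":
    for pom in Path(sys.argv[1] if len(sys.argv) > 1 else ".").rglob("pom.xml"):
        try:
            print(f"{check_pom(pom.read_bytes())}\t{pom}")
        except ET.ParseError as exc:
            print(f"parse-error\t{pom}\t{exc}")
```

Run as a script, it takes a directory argument (default: the current directory) and prints one classification per `pom.xml` found beneath it.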
Weakness Enumeration
Related Identifiers
Affected Products
Maven-Dependency-Plugin
Openapi-To-Java-Records-Mustache-Templates-Parent